FERC on Jan. 18 said that it has proposed to approve new mandatory reliability standards to bolster supply chain risk management protections for the country’s bulk electric system.
The proposed standards are intended to augment the current critical infrastructure protection standards to mitigate cybersecurity risks associated with the supply chain for grid-related cyber systems, FERC said.
NERC proposed the standards in response to FERC Order No. 829, which directed NERC to develop standards to address supply chain risk management for industrial control system hardware and software, as well as computing and networking services, FERC said.
As noted in FERC’s Jan. 18 Notice of Proposed Rulemaking (NOPR), NERC explained that proposed Reliability Standard CIP-013-1, for instance, addresses the risk associated with information system planning, as well as vendor risk management and procurement controls, the third and fourth objectives outlined in Order No. 829. The proposed reliability standard applies only to responsible entities and does not directly impose obligations on suppliers, vendors, or other entities that provide products or services to responsible entities, the NOPR said.
The NOPR concludes that NERC’s proposals constitute substantial progress in addressing the supply chain cybersecurity risks identified by FERC.
However, FERC added, the NOPR also finds that a significant cybersecurity risk remains because the proposed standards exclude electronic access control and monitoring systems (EACMS), physical access controls (PACs), and protected cyber assets (PCAs).
To address that gap, FERC said that it proposes to direct NERC to include EACMS associated with medium- and high-impact bulk electric system cyber systems within the scope of the supply chain risk management reliability standards, as well as to evaluate the risks presented by PACs and PCAs as part of a study already proposed by the NERC board.
FERC Commissioner Cheryl LaFleur, in a statement attached to the order, explained her vote in support of the Jan. 18 order, given her dissent on the FERC order that directed the development of the standards.
She added that while she remains concerned that the supply chain is a significant cyber vulnerability for the bulk power system, she believes that FERC was proceeding too quickly to require a supply chain standard, without having sufficiently worked with NERC, industry, and others on how to design an effective, auditable, and enforceable standard.
The proposed standards would provide significant flexibility to registered entities to determine how best to comply with their requirements, she said, adding that this flexibility presents potential risks and benefits.
“It could allow effective, adaptable approaches to flourish, or allow compliance plans that meet the letter of the standards but do not effectively address supply chain threats,” she said. “I hope that we will see more of the former, but I believe the commission, NERC, and the regional entities should closely monitor implementation if the standards are ultimately approved.”
Among other things, LaFleur said that she believes that FERC is appropriately proposing to direct a modification to the proposed standards to address an identified reliability gap regarding EACMS, and that she supports the proposal to require NERC to include PACs and PCAs within its ongoing assessment of the supply chain risks posed by low-impact bulk electric system cyber systems.
Comments on the NOPR are due 60 days after publication in the Federal Register, FERC said in its statement.
FERC also noted that in a separate order, it approved a series of new emergency preparedness and operations (EOP) reliability standards, which the commission said will enhance reliability by, for instance, providing accurate reporting of events to NERC’s event analysis group to examine the impact on reliability of the grid, and delineating the roles and responsibilities of entities that support system restoration from blackstart resources.